On Tue, Dec 26, 2023 at 08:09:54PM +0100, Andreas Rheinhardt wrote:
> Michael Niedermayer:
> > Fixes: out of array access
> > Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6227491892887552
> > Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6268561729126400
> > Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6414805046788096
> > Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6538151088488448
> > Fixes: 62164/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_OSQ_fuzzer-6608131540779008
> > 
> > Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg
> > Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
> > ---
> >  libavcodec/osq.c | 10 ++++++++++
> >  1 file changed, 10 insertions(+)
> > 
> > diff --git a/libavcodec/osq.c b/libavcodec/osq.c
> > index 435f3ea7f69..abe15c97f18 100644
> > --- a/libavcodec/osq.c
> > +++ b/libavcodec/osq.c
> > @@ -61,6 +61,15 @@ typedef struct OSQContext {
> >      int pkt_offset;
> >  } OSQContext;
> >  
> > +static void osq_flush(AVCodecContext *avctx)
> > +{
> > +    OSQContext *s = avctx->priv_data;
> > +
> > +    s->bitstream_size = 0;
> > +    s->pkt_offset = 0;
> > +    av_packet_unref(s->pkt);
> 
> s->pkt is the same as avctx->internal->in_pkt which is unreferenced
> generically upon flush. So this is unnecessary.

will apply without this

thx

[...]
-- 
Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB

Nations do behave wisely once they have exhausted all other alternatives. 
-- Abba Eban